Setting up an IDM LDAP-driver to synchronize data between eDirectory and Sun Directory Server Enterprise Edition

This article details the process of setting up a working SSL-encrypted connection from the IDM LDAP driver to Sun DSEE 6.3 running on Windows. I assume the reader has experience with IDM, eDirectory and iManager. If you are interested in what the commands in this document really do, I recommend downloading the DSEE documentation set.

I wrote this because I needed a working test environment for the LDAP driver together with Sun DSEE, and I had some trouble setting up the SSL part: the LDAP driver documentation details the steps for Netscape Directory Server, which is what DSEE was called a couple of versions ago. According to Father Ramon in the IDM forum:

“Sun DSEE is rename/derived from Sun Java System Directory, which was rename/derived from Sun One Directory Server, which was rename/derived from iPlanet Directory Server (a collaboration between Sun and Netscape), which was rename/derived from Netscape Directory Server.”

In this example I have two VMware machines: one runs SLES 10 SP1 with eDirectory 8.8.2 and IDM 3.5.1 and has IP address 192.168.0.100; the other runs Windows Server 2003 with Active Directory and Sun DSEE 6.3 and has IP address 192.168.0.101.

Now we’ll get to the process of setting up the driver. First I had to install the IDM Remote Loader on the Windows machine; I won’t detail the install since it’s already well documented and mostly consists of clicking Next. After installing the Remote Loader you might want to patch the LDAP driver with the latest patch from Novell.

In the Remote Loader Console I clicked on Add and created a Remote Loader instance with the following configuration:

Next, click on the DSCC link at the bottom.
If you did not run the “dsccsetup.exe initialize” command, you will be asked to initialize DSCC; enter a password.

A pop-up window will open and DSCC will initialize its configuration. When it’s done, click Close and Continue. You are now in the Control Center, which you use to administer DSEE through a GUI. There is also a command-line tool called “dsadm”.

If another LDAP server on the same machine already uses the default 389/636 port combination, you have to enter different port numbers; in my case 1389 and 1636. The Instance Path is where the database files will be located; that directory must not already exist.

If the server is an AD domain controller you need to enter the Runtime User ID in the following format:

Now that I had created the instance and the suffix, I wanted to test connectivity by authenticating with an LDAP browser. I used Apache Directory Studio to connect to my server on SSL port 1636 with “cn=Directory Manager” as the username (you could say that’s the admin user). I also had to specify the base DN, which in my case was the DN of the suffix, o=Atlas.

The next step is to configure the DSEE services to start automatically when Windows starts.

First create an empty text file named

password.txt

and place it under C:\
Edit it and enter the password of the administrator user, in my case the domain administrator, IDM360\Administrator. Just the password, nothing else.

Now from the

C:\Program Files\Sun\JavaES5\share\cacao_2\bin

directory run this command:

cacaoadm.bat enable -i default -f c:\password.txt

This creates a new service, in my case named Common Agent Container 2 (864cfa27:default), but I was not able to start it.

I had to open the Domain Controller Security Policy (under Administrative Tools in the Control Panel), select Local Policies > User Rights Assignment > Log on as a service, and add my user to that list. Then I ran the gpupdate command and was able to start my new service!

Now, to enable the DSEE instance and the DSCC instance to start as a service CD to the

C:\Program Files\Sun\JavaES5\DSEE\ds6\bin

directory.

Type the following commands, changing c:\sundsee to the path of your installed instance:

Next I need to configure DSEE to accept SSL connections from the IDM LDAP driver.

Log on to DSCC, select Directory Servers and click on the server, in my case IDM36:1389.
Click on the Security tab. If you get an authentication error like I did, click on it to update the credentials and type the username in the format DOMAIN\USERNAME, in my case IDM360\Administrator.

Click on the Certificates tab.
We will now generate a new certificate request.

In the filename field browse to the LdapDriverCertCSR.txt file.
Click Next.
Select SSL or TLS as key type.
I also selected Extended key type: Any
Click Next.

I selected the certificate type as Certificate Authority and Path length as Unspecified.

Select a validity period and click Next.

Select: Save to: File in Base64 format

Save the file LdapDriverCertCSR.b64 to your computer.

Next go back to DSCC and click on Add next to the Request CA-Signed button.
Enter a certificate name and open the b64 file in a text editor, copy and paste the entire content into the new DSCC window where it says certificate.

Now, back again to DSCC, click on the CA Certificates tab, click Add.
A new window will open.
Enter a name that will identify your tree’s CA certificate. Open your TrustedRoot.b64 and copy and paste its content into the Certificate field.

Now click on the Security tab in DSCC and, on the General page, change the SSL Settings. There is an option called Certificate:; change it from Default Certificate to LdapDriverCert (the name you gave your eDirectory-signed certificate). Click Save; you will get a message telling you to restart the service, so restart it again.

Now I have to proceed with the step that is labeled “7.6.2 Importing into the Client’s Certificate Store” in the LDAP Driver documentation.

It details the steps needed to import the eDirectory trusted root certificate into a keystore that the driver uses.

For this I’m using a Java based GUI tool named KeyTool IUI that can be downloaded from here:

http://yellowcat1.free.fr/index_ktl.html

You need to have JRE 1.6+ installed to start it; after extracting the ZIP file I had to edit the

After deploying the driver and setting the security equivalence my driver started nicely. If you have any problems raise the trace level on the Remote Loader to see what’s happening when it tries to connect.

Now we have the driver running and syncing, BUT what if I don’t want to use the eDirectory-generated certificate for my Sun DSEE server? What if I want to use DSEE’s own certificate?
Well, I’ll explain how to accomplish that too.

Using DSEE certificates in the driver instead of the eDirectory certificates

We are going to use openssl.exe to extract the public key from the DSEE certificate, since I don’t know how to export just the public key (tips are welcome).

Now we are going to export the Sun DSEE default certificate. Yes, more import/export…

In DSCC, Security > Certificates, check Default Certificate (or the one you want to use), then More Certificate Actions > Export.
My Export Path was: C:\suncert
You’ll be asked to set a PKCS#12 password.

Now you have a PKCS#12 file that contains both the private key and the certificate (with its public key).

In DSCC, Security > General > Certificate:, change back from LdapDriverCert (or whatever you named your eDirectory-generated certificate) to Default Certificate or another certificate you want to use. Save and restart the DSEE service.

After that we run the command:

openssl pkcs12 -in c:\suncert -out sunpublickey.pem -clcerts -nokeys

This command writes the DSEE certificate (which carries the public key) to a PEM file; -clcerts -nokeys selects the certificate and leaves the private key out.

Now open that .PEM file in a text editor and remove everything before the line -----BEGIN CERTIFICATE-----, so the file starts with that line and the rest follows. Save the file. Now use KeyTool IUI to import the .PEM file into our keystore file (Import > Keystore’s entry > Trusted Certificate > Regular Certificate).
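The manual clean-up above (deleting openssl’s Bag Attributes preamble) and the earlier connectivity test on port 1636 can both be done with a small script. The following is an added example written for this article; it is not part of the original post or of the DSEE/IDM tooling. It extracts the certificate block from the openssl output, computes a SHA-256 fingerprint, and can fetch the certificate the DSEE SSL port actually presents so you can confirm the server is using the certificate you expect (Default Certificate or LdapDriverCert) before you trust it in the driver keystore. The file names, host address, port and the sample certificate body are constructed assumptions.

```python
"""Clean up the PEM written by `openssl pkcs12 -clcerts -nokeys`, fingerprint the
certificate, and compare it with what the DSEE SSL port actually presents.

Added example for this article; it is not part of the original post or of the
DSEE/IDM tooling. File names, host name, port and the sample certificate are
constructed assumptions.
"""
import hashlib
import re
import ssl

# openssl prefixes each certificate with "Bag Attributes", "subject=" and
# "issuer=" lines; the article has you delete them by hand before importing.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)


def extract_pem_certificates(text: str) -> list:
    """Return every certificate in `text` as a clean PEM block, preamble removed."""
    certs = []
    for body in _PEM_BLOCK.findall(text):
        b64 = "".join(body.split())  # drop line breaks and stray whitespace
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]  # re-wrap like openssl
        certs.append(
            "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"
        )
    return certs


def pem_to_der(pem: str) -> bytes:
    """Decode one PEM certificate to DER; an X.509 certificate is an ASN.1 SEQUENCE (0x30)."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE")
    return der


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated uppercase form keytool shows."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def clean_pem_file(src_path: str, dst_path: str) -> list:
    """Write only the certificate block(s) from openssl's output; return their fingerprints."""
    with open(src_path, encoding="ascii") as f:
        certs = extract_pem_certificates(f.read())
    if not certs:
        raise ValueError("no certificate found in " + src_path)
    with open(dst_path, "w", encoding="ascii") as f:
        f.write("".join(certs))
    return [fingerprint(pem_to_der(c)) for c in certs]


def server_presents(host: str, port: int, expected_fingerprint: str) -> bool:
    """Fetch the certificate DSEE offers on its SSL port and compare fingerprints.

    ssl.get_server_certificate does not validate the chain, which is fine here:
    the point is to see which certificate the server is configured with before
    deciding to trust it in the driver keystore.
    """
    pem = ssl.get_server_certificate((host, port))
    return fingerprint(pem_to_der(pem)) == expected_fingerprint


# Constructed sample of openssl's output; the body is a tiny DER SEQUENCE, not a
# real certificate, so the parsing path can be exercised offline.
SAMPLE_OPENSSL_OUTPUT = """Bag Attributes
    friendlyName: Default Certificate
    localKeyID: 01 02 03 04
subject=/CN=idm36.example.test
issuer=/CN=idm36.example.test
-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    for pem in extract_pem_certificates(SAMPLE_OPENSSL_OUTPUT):
        print(pem, end="")
        print("SHA256:", fingerprint(pem_to_der(pem)))
    # Against a live server (assumed paths and the article's test addresses):
    # clean_pem_file(r"C:\sunpublickey.pem", r"C:\sunpublickey-clean.pem")
    # server_presents("192.168.0.101", 1636, "<fingerprint printed by clean_pem_file>")
```

Run it on the .PEM file produced by the openssl command, note the fingerprint it prints, and compare that with the fingerprint KeyTool IUI (or the JDK’s own keytool, with keytool -importcert -alias dsee -file sunpublickey-clean.pem -keystore yourkeystore) shows when you import it; if the driver still fails to connect, server_presents tells you whether the instance is really serving the certificate you imported or still the one you switched away from.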

When you’re done restart the driver to test if it works as it should.

So there you have it: how to set up your own test environment instance of Sun DSEE and configure the IDM LDAP driver for SSL communications in two ways, with the eDirectory-generated certificate or with the DSEE-generated certificate.

Remember, if you are running the Remote Loader as I am, there are two connections that you may need to secure: the one from IDM to the Remote Loader, where you can activate SSL too and it’s really easy, and the one from the driver shim to the LDAP server, which is what this document is about.

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.